Sweet, +1 then to adding this as an optional return parameter when
receiving an access token.


On Mon, May 10, 2010 at 8:52 PM, Manger, James H
<[email protected]> wrote:
> Correct. All your examples match my intention, David.
>
> --
> James Manger
>
>
> -----Original Message-----
> From: David Recordon [mailto:[email protected]]
> Sent: Tuesday, 11 May 2010 1:46 PM
> To: Eran Hammer-Lahav
> Cc: Manger, James H; OAuth WG
> Subject: Re: [OAUTH-WG] Indicating sites where a token is valid
>
> If the sites parameter is not specified, would it default to the
> domain of the authorization server. If it is specified, then the valid
> sites are what is explicitly listed. Wildcards would only be supported
> for subdomains and it would be assumed that any resource on that
> domain is valid.
>
> Thus with the user endpoint being https://graph.facebook.com/oauth/authorize:
>
> 1) no sites parameter means the access token is only valid on
> https://graph.facebook.com/*
>
> 2) sites key with a value of ["https://graph.facebook.com/"] means
> that the access token is only valid on https://graph.facebook.com/*
>
> 3) sites key with a value of ["https://*.facebook.com/"] means that
> https://graph.facebook.com/* and https://www.facebook.com/* would both
> be valid (among other subdomains)
>
> 4) sites key with a value of ["https://graph.facebook.com/",
> "https://api.facebook.com/"] means that only
> https://graph.facebook.com/* and https://api.facebook.com/* would be
> valid
>
> 5) sites key with a value of ["https://api.facebook.com/"] means that
> the token isn't valid on https://graph.facebook.com/ even though
> that's the authorization server
>
> Obviously the sites parameter isn't restricted to being on the same
> domain, just used it that way for these examples. Am I understanding
> the proposal correctly?
>
> Thanks,
> --David
>
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
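
The five cases listed in the thread, written as a client-side check that decides whether an access token may be sent to a given URL. This is an added example and not code from the thread or from any OAuth draft. The function names are hypothetical. It assumes that scheme and port must match the listed site and that a wildcard covers subdomains only, not the bare domain.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Split a URL into (scheme, host, port), lowercased, default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # .hostname drops any userinfo, so "https://a.example@b.example/" yields b.example
    host = (parts.hostname or "").lower()
    return scheme, host, parts.port or DEFAULT_PORTS.get(scheme)

def site_matches(site, url):
    """True if url falls under one entry of the sites list."""
    s_scheme, s_host, s_port = origin(site)
    u_scheme, u_host, u_port = origin(url)
    # Assumption: scheme and port must be identical to the listed site.
    if not u_host or (s_scheme, s_port) != (u_scheme, u_port):
        return False
    if s_host.startswith("*."):
        # Assumption: wildcard covers subdomains only. Compare against
        # ".facebook.com" (leading dot kept) so the match falls on a label
        # boundary and the bare domain itself is excluded.
        suffix = s_host[1:]
        return u_host.endswith(suffix) and len(u_host) > len(suffix)
    return u_host == s_host

def token_valid_for(url, authorization_endpoint, sites=None):
    """Decide whether a client may send the access token to url."""
    if sites is None:
        # Case 1: no sites parameter, default to the authorization server.
        sites = [authorization_endpoint]
    return any(site_matches(site, url) for site in sites)

if __name__ == "__main__":
    authz = "https://graph.facebook.com/oauth/authorize"
    # Constructed checks mirroring cases 1, 3 and 5 from the thread.
    print(token_valid_for("https://graph.facebook.com/me", authz))
    print(token_valid_for("https://www.facebook.com/me", authz,
                          ["https://*.facebook.com/"]))
    print(token_valid_for("https://graph.facebook.com/me", authz,
                          ["https://api.facebook.com/"]))
```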
